Några nya regler

2018-02-06 08:26:48 +01:00
parent 1d5651a9b4
commit 4ec0ca12c3
3 changed files with 12 additions and 3 deletions


@@ -323,8 +323,9 @@
#Apr 15 19:27:33 nada saslauthd[1732]: do_auth : auth failure: [user=backuppc ] [service=smtp] [realm=wahlberg.se] [mech=shadow] [reason=Unknown]
#Apr 2 16:58:34 nada saslauthd[619]: do_auth : auth failure: [user=prueba] [service=smtp] [realm=] [mech=shadow] [reason=Invalid username]
#Apr 2 19:08:45 nada saslauthd[604]: do_auth : auth failure: [user=backup] [service=smtp] [realm=] [mech=shadow] [reason=Incorrect password]
#Feb 6 02:20:14 nada saslauthd[610]: do_auth : auth failure: [user=Adm1n!] [service=smtp] [realm=#] [mech=shadow] [reason=Invalid username]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([ -_.@[:alnum:]]+)?\] \[service=(smtp)?\] \[realm=([-_.@[:alnum:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: do_auth[[:blank:]]+: auth failure: \[user=([[:print:]]+)?\] \[service=(smtp)?\] \[realm=([[:print:]]+)?\] \[mech=(pam|shadow)\] \[reason=(Unknown|PAM auth error|Invalid username|Incorrect password)\]
#Apr 13 09:42:28 kvarnen saslauthd[620]: pam_unix(:auth): authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: pam_(krb5|unix)\((dovecot)?:auth\): authentication failure\; logname=([-.@[:alnum:]]+)? uid=[[:digit:]]+ euid=[[:digit:]]+ tty=(dovecot)? ruser=([-.@[:alnum:]]+)? rhost=([.:[:xdigit:]]+)?
@@ -570,7 +571,8 @@
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate a key exchange method \[preauth\]
#Mar 17 09:44:38 marconi sshd[27920]: fatal: Unable to negotiate with 212.129.20.230 port 51562: no matching cipher found. Their offer: aes256-cbc,rijndael-cbc@lysator.liu.se,aes192-cbc,aes128-cbc,arcfour128,arcfour,3des-cbc,none [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: fatal: Unable to negotiate with [.[:digit:]]+ port [[:alnum:]]+: no matching cipher found. Their offer: .* \[preauth\]
#Feb 5 05:36:40 marconi sshd[12309]: Unable to negotiate with 36.255.159.233 port 65061: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc [preauth]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]:( fatal:)? Unable to negotiate with [.[:digit:]]+ port [[:alnum:]]+: no matching cipher found. Their offer: .* \[preauth\]
#Apr 27 12:36:56 kvarnen sshd[26293]: Bad protocol version identification 'GET http://clientapi.ipip.net/echo.php?info=20160427185402 HTTP/1.1' from 106.184.2.29 port 7680
#May 13 16:59:50 kvarnen sshd[21380]: Bad protocol version identification '' from 171.13.14.52 port 59637
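Review bot: The replacement saslauthd rule in the first hunk matches `user=` and `realm=` with `[[:print:]]+`, a class that includes `]` and space, so neither capture is confined to its own bracketed field any more. The user name in this message is supplied by the connecting client, so it is safer to match each field by its terminator: `\[user=([^]]+)?\]` and `\[realm=([^]]+)?\]`. The rule also has no trailing `$`, so any text after the `[reason=...]` field is accepted; ending it with `\]$` would bound it, assuming the message ends there as the samples show. If these patterns are used to suppress lines from the report, a failure whose user name contains `]` would then stay visible, which seems the better default.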


@@ -90,7 +90,9 @@
#Nov 2 11:19:59 marconi sshd[20563]: Connection closed by authenticating user root 58.214.22.74 port 6920 [preauth]
#Nov 2 11:55:16 marconi sshd[496]: Connection closed by authenticating user root 112.29.245.145 port 2049 [preauth]
#Nov 16 12:17:47 marconi sshd[32197]: Connection closed by invalid user cloud-user 115.47.122.242 port 6920 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by ((invalid|authenticating) user [-.@[:alnum:]]+ )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
Feb 5 07:17:24 marconi sshd[31872]: Connection closed by invalid user sap_user 47.205.250.5 port 33272 [preauth]
Feb 5 14:59:07 marconi sshd[21801]: Connection closed by invalid user 0101 5.188.10.179 port 60847 [preauth]
\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ sshd\[[[:digit:]]+\]: Connection closed by ((invalid|authenticating) user .* )?[.:[:digit:]]+ port [[:digit:]]+ \[preauth\]
#Mar 2 13:42:26 marconi sshd[25003]: Received disconnect from 155.4.131.66 port 2983:11: disconnected by user
#Mar 2 17:00:04 marconi sshd[31419]: Received disconnect from 116.31.116.18 port 20137:11: [preauth]
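Review bot: The two sample lines added above the new rule (`Feb 5 07:17:24 ...` and `Feb 5 14:59:07 ...`) lack the leading `#` that the other samples in this hunk carry, so they will presumably be read as patterns rather than comments; prefix both with `#`. The new rule also replaces the user-name class with `.*`, while the pattern as shown has no leading `^` and no trailing `$` (both already missing from the line it replaces). The user name is chosen by the remote client, and an unanchored rule can match text embedded in an unrelated log line, so a bounded form is safer: change `user .* )?` to `user [[:graph:]]+ )?` and anchor the rule with `^` and `$`. Both new samples (`sap_user`, `0101`) still match that form.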


@@ -628,6 +628,11 @@ Nov 16 12:17:47 marconi sshd[32197]: Connection closed by invalid user cloud-use
Nov 30 06:02:55 marconi sshd[23738]: error: Received disconnect from 103.99.0.207 port 63247:14: No more user authentication methods available. [preauth]
Feb 5 13:02:12 nada milter-greylist: ignoring message beyond maxpeek = 0
Feb 5 13:07:56 nada milter-greylist: ignoring message beyond maxpeek = 0
Feb 5 05:36:40 marconi sshd[12309]: Unable to negotiate with 36.255.159.233 port 65061: no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,aes192-cbc [preauth]
Feb 5 07:17:24 marconi sshd[31872]: Connection closed by invalid user sap_user 47.205.250.5 port 33272 [preauth]
Feb 5 14:59:07 marconi sshd[21801]: Connection closed by invalid user 0101 5.188.10.179 port 60847 [preauth]
Feb 6 02:20:14 nada saslauthd[610]: do_auth : auth failure: [user=Adm1n!] [service=smtp] [realm=#] [mech=shadow] [reason=Invalid username]
Aug 23 18:39:24 nada fredrik[1713]: Kontrollrad. Syns detta har vi problem...
Aug 23 18:39:24 nada fredrik[1713]: Sista raden